Botan 3.9.0
Crypto and TLS for C&
bigint.cpp
Go to the documentation of this file.
1/*
2* BigInt Base
3* (C) 1999-2011,2012,2014,2019 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/bigint.h>
9
10#include <botan/internal/bit_ops.h>
11#include <botan/internal/ct_utils.h>
12#include <botan/internal/loadstor.h>
13#include <botan/internal/mem_utils.h>
14#include <botan/internal/mp_core.h>
15#include <botan/internal/rounding.h>
16
17namespace Botan {
18
19BigInt::BigInt(uint64_t n) {
20 if constexpr(sizeof(word) == 8) {
21 m_data.set_word_at(0, static_cast<word>(n));
22 } else {
23 m_data.set_word_at(1, static_cast<word>(n >> 32));
24 m_data.set_word_at(0, static_cast<word>(n));
25 }
26}
27
28//static
30 return BigInt(n);
31}
32
33//static
35 BigInt bn;
36 bn.set_word_at(0, n);
37 return bn;
38}
39
40//static
42 if(n >= 0) {
43 return BigInt::from_u64(static_cast<uint64_t>(n));
44 } else {
45 return -BigInt::from_u64(static_cast<uint64_t>(-n));
46 }
47}
48
49//static
51 BigInt bn;
52 bn.grow_to(size);
53 return bn;
54}
55
56/*
57* Construct a BigInt from a string
58*/
59BigInt::BigInt(std::string_view str) {
60 Base base = Decimal;
61 size_t markers = 0;
62 bool negative = false;
63
64 if(!str.empty() && str[0] == '-') {
65 markers += 1;
66 negative = true;
67 }
68
69 if(str.length() > markers + 2 && str[markers] == '0' && str[markers + 1] == 'x') {
70 markers += 2;
71 base = Hexadecimal;
72 }
73
74 *this = decode(as_span_of_bytes(str).subspan(markers), base);
75
76 if(negative) {
78 } else {
80 }
81}
82
83BigInt BigInt::from_string(std::string_view str) {
84 return BigInt(str);
85}
86
87BigInt BigInt::from_bytes(std::span<const uint8_t> input) {
88 BigInt r;
89 r.assign_from_bytes(input);
90 return r;
91}
92
93/*
94* Construct a BigInt from an encoded BigInt
95*/
96BigInt::BigInt(const uint8_t input[], size_t length, Base base) {
97 *this = decode(input, length, base);
98}
99
100//static
101BigInt BigInt::from_bytes_with_max_bits(const uint8_t input[], size_t length, size_t max_bits) {
102 const size_t input_bits = 8 * length;
103
104 auto bn = BigInt::from_bytes(std::span{input, length});
105
106 if(input_bits > max_bits) {
107 const size_t bits_to_shift = input_bits - max_bits;
108
109 bn >>= bits_to_shift;
110 }
111
112 return bn;
113}
114
115/*
116* Construct a BigInt from an encoded BigInt
117*/
118BigInt::BigInt(RandomNumberGenerator& rng, size_t bits, bool set_high_bit) {
119 randomize(rng, bits, set_high_bit);
120}
121
122uint8_t BigInt::byte_at(size_t n) const {
123 return get_byte_var(sizeof(word) - (n % sizeof(word)) - 1, word_at(n / sizeof(word)));
124}
125
126int32_t BigInt::cmp_word(word other) const {
127 if(is_negative()) {
128 return -1; // other is positive ...
129 }
130
131 const size_t sw = this->sig_words();
132 if(sw > 1) {
133 return 1; // must be larger since other is just one word ...
134 }
135
136 return bigint_cmp(this->_data(), sw, &other, 1);
137}
138
139/*
140* Comparison Function
141*/
142int32_t BigInt::cmp(const BigInt& other, bool check_signs) const {
143 if(check_signs) {
144 if(other.is_positive() && this->is_negative()) {
145 return -1;
146 }
147
148 if(other.is_negative() && this->is_positive()) {
149 return 1;
150 }
151
152 if(other.is_negative() && this->is_negative()) {
153 return (-bigint_cmp(this->_data(), this->size(), other._data(), other.size()));
154 }
155 }
156
157 return bigint_cmp(this->_data(), this->size(), other._data(), other.size());
158}
159
160bool BigInt::is_equal(const BigInt& other) const {
161 if(this->sign() != other.sign()) {
162 return false;
163 }
164
165 return bigint_ct_is_eq(this->_data(), this->sig_words(), other._data(), other.sig_words()).as_bool();
166}
167
168bool BigInt::is_less_than(const BigInt& other) const {
169 if(this->is_negative() && other.is_positive()) {
170 return true;
171 }
172
173 if(this->is_positive() && other.is_negative()) {
174 return false;
175 }
176
177 if(other.is_negative() && this->is_negative()) {
178 return bigint_ct_is_lt(other._data(), other.sig_words(), this->_data(), this->sig_words()).as_bool();
179 }
180
181 return bigint_ct_is_lt(this->_data(), this->sig_words(), other._data(), other.sig_words()).as_bool();
182}
183
184void BigInt::encode_words(word out[], size_t size) const {
185 const size_t words = sig_words();
186
187 if(words > size) {
188 throw Encoding_Error("BigInt::encode_words value too large to encode");
189 }
190
191 clear_mem(out, size);
192 copy_mem(out, _data(), words);
193}
194
195void BigInt::Data::set_to_zero() {
196 m_reg.resize(m_reg.capacity());
197 clear_mem(m_reg.data(), m_reg.size());
198 m_sig_words = 0;
199}
200
201void BigInt::Data::mask_bits(size_t n) {
202 if(n == 0) {
203 return set_to_zero();
204 }
205
206 const size_t top_word = n / WordInfo<word>::bits;
207
208 if(top_word < size()) {
209 const word mask = (static_cast<word>(1) << (n % WordInfo<word>::bits)) - 1;
210 const size_t len = size() - (top_word + 1);
211 if(len > 0) {
212 clear_mem(&m_reg[top_word + 1], len);
213 }
214 m_reg[top_word] &= mask;
215 invalidate_sig_words();
216 }
217}
218
219size_t BigInt::Data::calc_sig_words() const {
220 const size_t sz = m_reg.size();
221 size_t sig = sz;
222
223 word sub = 1;
224
225 for(size_t i = 0; i != sz; ++i) {
226 const word w = m_reg[sz - i - 1];
227 sub &= ct_is_zero(w);
228 sig -= sub;
229 }
230
231 /*
232 * This depends on the data so is poisoned, but unpoison it here as
233 * later conditionals are made on the size.
234 */
235 CT::unpoison(sig);
236
237 return sig;
238}
239
240/*
241* Return bits {offset...offset+length}
242*/
243uint32_t BigInt::get_substring(size_t offset, size_t length) const {
244 if(length == 0 || length > 32) {
245 throw Invalid_Argument("BigInt::get_substring invalid substring length");
246 }
247
248 const uint32_t mask = 0xFFFFFFFF >> (32 - length);
249
250 const size_t word_offset = offset / WordInfo<word>::bits;
251 const size_t wshift = (offset % WordInfo<word>::bits);
252
253 /*
254 * The substring is contained within one or at most two words. The
255 * offset and length are not secret, so we can perform conditional
256 * operations on those values.
257 */
258 const word w0 = word_at(word_offset);
259
260 if(wshift == 0 || (offset + length) / WordInfo<word>::bits == word_offset) {
261 return static_cast<uint32_t>(w0 >> wshift) & mask;
262 } else {
263 const word w1 = word_at(word_offset + 1);
264 return static_cast<uint32_t>((w0 >> wshift) | (w1 << (WordInfo<word>::bits - wshift))) & mask;
265 }
266}
267
268/*
269* Convert this number to a uint32_t, if possible
270*/
271uint32_t BigInt::to_u32bit() const {
272 if(is_negative()) {
273 throw Encoding_Error("BigInt::to_u32bit: Number is negative");
274 }
275 if(bits() > 32) {
276 throw Encoding_Error("BigInt::to_u32bit: Number is too big to convert");
277 }
278
279 uint32_t out = 0;
280 for(size_t i = 0; i != 4; ++i) {
281 out = (out << 8) | byte_at(3 - i);
282 }
283 return out;
284}
285
286/*
287* Clear bit number n
288*/
289void BigInt::clear_bit(size_t n) {
290 const size_t which = n / WordInfo<word>::bits;
291
292 if(which < size()) {
293 const word mask = ~(static_cast<word>(1) << (n % WordInfo<word>::bits));
294 m_data.set_word_at(which, word_at(which) & mask);
295 }
296}
297
298size_t BigInt::bytes() const {
299 return round_up(bits(), 8) / 8;
300}
301
302size_t BigInt::top_bits_free() const {
303 const size_t words = sig_words();
304
305 const word top_word = word_at(words - 1);
306 const size_t bits_used = high_bit(CT::value_barrier(top_word));
307 CT::unpoison(bits_used);
308 return WordInfo<word>::bits - bits_used;
309}
310
311size_t BigInt::bits() const {
312 const size_t words = sig_words();
313
314 if(words == 0) {
315 return 0;
316 }
317
318 const size_t full_words = (words - 1) * WordInfo<word>::bits;
319 const size_t top_bits = WordInfo<word>::bits - top_bits_free();
320
321 return full_words + top_bits;
322}
323
324/*
325* Return the negation of this number
326*/
328 BigInt x = (*this);
329 x.flip_sign();
330 return x;
331}
332
334 if(p.is_negative() || this->is_negative()) {
335 throw Invalid_Argument("BigInt::reduce_below both values must be positive");
336 }
337
338 const size_t p_words = p.sig_words();
339
340 if(size() < p_words + 1) {
341 grow_to(p_words + 1);
342 }
343
344 if(ws.size() < p_words + 1) {
345 ws.resize(p_words + 1);
346 }
347
348 clear_mem(ws.data(), ws.size());
349
350 size_t reductions = 0;
351
352 for(;;) {
353 word borrow = bigint_sub3(ws.data(), _data(), p_words + 1, p._data(), p_words);
354 if(borrow > 0) {
355 break;
356 }
357
358 ++reductions;
359 swap_reg(ws);
360 }
361
362 return reductions;
363}
364
365void BigInt::ct_reduce_below(const BigInt& mod, secure_vector<word>& ws, size_t bound) {
366 if(mod.is_negative() || this->is_negative()) {
367 throw Invalid_Argument("BigInt::ct_reduce_below both values must be positive");
368 }
369
370 const size_t mod_words = mod.sig_words();
371
372 grow_to(mod_words);
373
374 const size_t sz = size();
375
376 ws.resize(sz);
377
378 clear_mem(ws.data(), sz);
379
380 for(size_t i = 0; i != bound; ++i) {
381 word borrow = bigint_sub3(ws.data(), _data(), sz, mod._data(), mod_words);
382
383 CT::Mask<word>::is_zero(borrow).select_n(mutable_data(), ws.data(), _data(), sz);
384 }
385}
386
387/*
388* Return the absolute value of this number
389*/
391 BigInt x = (*this);
393 return x;
394}
395
396/*
397* Encode this number into bytes
398*/
399void BigInt::serialize_to(std::span<uint8_t> output) const {
400 BOTAN_ARG_CHECK(this->bytes() <= output.size(), "Insufficient output space");
401
402 this->binary_encode(output.data(), output.size());
403}
404
405/*
406* Encode this number into bytes
407*/
408void BigInt::binary_encode(uint8_t output[], size_t len) const {
409 const size_t full_words = len / sizeof(word);
410 const size_t extra_bytes = len % sizeof(word);
411
412 for(size_t i = 0; i != full_words; ++i) {
413 const word w = word_at(i);
414 store_be(w, output + (len - (i + 1) * sizeof(word)));
415 }
416
417 if(extra_bytes > 0) {
418 const word w = word_at(full_words);
419
420 for(size_t i = 0; i != extra_bytes; ++i) {
421 output[extra_bytes - i - 1] = get_byte_var(sizeof(word) - i - 1, w);
422 }
423 }
424}
425
426/*
427* Set this number to the value in buf
428*/
429void BigInt::assign_from_bytes(std::span<const uint8_t> bytes) {
430 clear();
431
432 const size_t length = bytes.size();
433 const size_t full_words = length / sizeof(word);
434 const size_t extra_bytes = length % sizeof(word);
435
436 secure_vector<word> reg((round_up(full_words + (extra_bytes > 0 ? 1 : 0), 8)));
437
438 for(size_t i = 0; i != full_words; ++i) {
439 reg[i] = load_be<word>(bytes.last<sizeof(word)>());
440 bytes = bytes.first(bytes.size() - sizeof(word));
441 }
442
443 if(!bytes.empty()) {
444 BOTAN_ASSERT_NOMSG(extra_bytes == bytes.size());
445 std::array<uint8_t, sizeof(word)> last_partial_word = {0};
446 copy_mem(std::span{last_partial_word}.last(extra_bytes), bytes);
447 reg[full_words] = load_be<word>(last_partial_word);
448 }
449
450 m_data.swap(reg);
451}
452
453void BigInt::ct_cond_add(bool predicate, const BigInt& value) {
454 if(this->is_negative() || value.is_negative()) {
455 throw Invalid_Argument("BigInt::ct_cond_add requires both values to be positive");
456 }
457 const size_t v_words = value.sig_words();
458
459 this->grow_to(1 + v_words);
460
461 const auto mask = CT::Mask<word>::expand(static_cast<word>(predicate)).value();
462
463 word carry = 0;
464
465 word* x = this->mutable_data();
466 const word* y = value._data();
467
468 for(size_t i = 0; i != v_words; ++i) {
469 x[i] = word_add(x[i], y[i] & mask, &carry);
470 }
471
472 for(size_t i = v_words; i != size(); ++i) {
473 x[i] = word_add(x[i], static_cast<word>(0), &carry);
474 }
475}
476
477void BigInt::ct_shift_left(size_t shift) {
478 auto shl_bit = [](const BigInt& a, BigInt& result) {
479 BOTAN_DEBUG_ASSERT(a.size() + 1 == result.size());
480 bigint_shl2(result.mutable_data(), a._data(), a.size(), 1);
481 // shl2 may have shifted a bit into the next word, which must be dropped
482 clear_mem(result.mutable_data() + result.size() - 1, 1);
483 };
484
485 auto shl_word = [](const BigInt& a, BigInt& result) {
486 // the most significant word is not copied, aka. shifted out
487 bigint_shl2(result.mutable_data(), a._data(), a.size() - 1 /* ignore msw */, WordInfo<word>::bits);
488 // we left-shifted by a full word, the least significant word must be zero'ed
489 clear_mem(result.mutable_data(), 1);
490 };
491
493
494 constexpr size_t bits_in_word = sizeof(word) * 8;
495 const size_t word_shift = shift >> ceil_log2(bits_in_word); // shift / bits_in_word
496 const size_t bit_shift = shift & ((1 << ceil_log2(bits_in_word)) - 1); // shift % bits_in_word
497 const size_t iterations = std::max(size(), bits_in_word) - 1; // uint64_t i; i << 64 is undefined behaviour
498
499 // In every iteration, shift one bit and one word to the left and use the
500 // shift results only when they are within the shift range.
501 BigInt tmp;
502 tmp.resize(size() + 1 /* to hold the shifted-out word */);
503 for(size_t i = 0; i < iterations; ++i) {
504 shl_bit(*this, tmp);
505 ct_cond_assign(i < bit_shift, tmp);
506 shl_word(*this, tmp);
507 ct_cond_assign(i < word_shift, tmp);
508 }
509}
510
511void BigInt::ct_cond_swap(bool predicate, BigInt& other) {
512 const size_t max_words = std::max(size(), other.size());
513 grow_to(max_words);
514 other.grow_to(max_words);
515
516 bigint_cnd_swap(static_cast<word>(predicate), this->mutable_data(), other.mutable_data(), max_words);
517}
518
519void BigInt::cond_flip_sign(bool predicate) {
520 // This code is assuming Negative == 0, Positive == 1
521
522 const auto mask = CT::Mask<uint8_t>::expand_bool(predicate);
523
524 const uint8_t current_sign = static_cast<uint8_t>(sign());
525
526 const uint8_t new_sign = mask.select(current_sign ^ 1, current_sign);
527
528 set_sign(static_cast<Sign>(new_sign));
529}
530
531void BigInt::ct_cond_assign(bool predicate, const BigInt& other) {
532 const size_t t_words = size();
533 const size_t o_words = other.size();
534
535 if(o_words < t_words) {
536 grow_to(o_words);
537 }
538
539 const size_t r_words = std::max(t_words, o_words);
540
541 const auto mask = CT::Mask<word>::expand_bool(predicate);
542
543 for(size_t i = 0; i != r_words; ++i) {
544 const word o_word = other.word_at(i);
545 const word t_word = this->word_at(i);
546 this->set_word_at(i, mask.select(o_word, t_word));
547 }
548
549 const auto same_sign = CT::Mask<word>::is_equal(sign(), other.sign()).as_choice();
550 cond_flip_sign((mask.as_choice() && !same_sign).as_bool());
551}
552
554 CT::poison(m_data.const_data(), m_data.size());
555}
556
558 CT::unpoison(m_data.const_data(), m_data.size());
559}
560
561} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
void ct_cond_add(bool predicate, const BigInt &value)
Definition bigint.cpp:453
size_t sig_words() const
Definition bigint.h:615
BigInt()=default
bool is_equal(const BigInt &n) const
Definition bigint.cpp:160
static BigInt decode(const uint8_t buf[], size_t length)
Definition bigint.h:857
BigInt & sub(const word y[], size_t y_words, Sign sign)
Definition bigint.h:316
void set_word_at(size_t i, word w)
Definition bigint.h:549
word * mutable_data()
Definition bigint.h:640
void ct_cond_assign(bool predicate, const BigInt &other)
Definition bigint.cpp:531
size_t size() const
Definition bigint.h:609
void grow_to(size_t n) const
Definition bigint.h:666
void resize(size_t s)
Definition bigint.h:668
uint32_t to_u32bit() const
Definition bigint.cpp:271
void flip_sign()
Definition bigint.h:586
size_t top_bits_free() const
Definition bigint.cpp:302
void ct_reduce_below(const BigInt &mod, secure_vector< word > &ws, size_t bound)
Definition bigint.cpp:365
bool is_less_than(const BigInt &n) const
Definition bigint.cpp:168
int32_t cmp(const BigInt &n, bool check_signs=true) const
Definition bigint.cpp:142
void ct_shift_left(size_t shift)
Definition bigint.cpp:477
void binary_encode(uint8_t buf[]) const
Definition bigint.h:732
word word_at(size_t n) const
Definition bigint.h:547
void randomize(RandomNumberGenerator &rng, size_t bitsize, bool set_high_bit=true)
Definition big_rand.cpp:18
int32_t cmp_word(word n) const
Definition bigint.cpp:126
void cond_flip_sign(bool predicate)
Definition bigint.cpp:519
static BigInt from_string(std::string_view str)
Definition bigint.cpp:83
void _const_time_unpoison() const
Definition bigint.cpp:557
void serialize_to(std::span< uint8_t > out) const
Definition bigint.cpp:399
static BigInt from_bytes(std::span< const uint8_t > bytes)
Definition bigint.cpp:87
size_t bits() const
Definition bigint.cpp:311
BigInt operator-() const
Definition bigint.cpp:327
void _const_time_poison() const
Definition bigint.cpp:553
uint8_t byte_at(size_t n) const
Definition bigint.cpp:122
static BigInt from_u64(uint64_t n)
Definition bigint.cpp:29
void clear()
Definition bigint.h:399
void clear_bit(size_t n)
Definition bigint.cpp:289
const word * _data() const
Definition bigint.h:936
Sign sign() const
Definition bigint.h:571
void encode_words(word out[], size_t size) const
Definition bigint.cpp:184
static BigInt from_s32(int32_t n)
Definition bigint.cpp:41
void ct_cond_swap(bool predicate, BigInt &other)
Definition bigint.cpp:511
BigInt abs() const
Definition bigint.cpp:390
static BigInt from_word(word n)
Definition bigint.cpp:34
size_t reduce_below(const BigInt &mod, secure_vector< word > &ws)
Definition bigint.cpp:333
bool is_negative() const
Definition bigint.h:559
static BigInt from_bytes_with_max_bits(const uint8_t buf[], size_t length, size_t max_bits)
Definition bigint.cpp:101
size_t bytes() const
Definition bigint.cpp:298
bool is_positive() const
Definition bigint.h:565
static BigInt with_capacity(size_t n)
Definition bigint.cpp:50
void swap_reg(secure_vector< word > &reg)
Definition bigint.h:198
void set_sign(Sign sign)
Definition bigint.h:592
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:243
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
static constexpr Mask< T > expand_bool(bool v)
Definition ct_utils.h:425
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:465
constexpr T value_barrier(T x)
Definition ct_utils.h:277
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54
constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size)
Definition mp_core.h:31
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28
constexpr auto word_add(W x, W y, W *carry) -> W
Definition mp_asmi.h:191
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:194
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:120
constexpr auto bigint_ct_is_eq(const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask< W >
Definition mp_core.h:508
constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:428
constexpr void bigint_shl2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:352
void carry(int64_t &h0, int64_t &h1)
BOTAN_FORCE_INLINE constexpr size_t high_bit(T n)
Definition bit_ops.h:56
constexpr auto bigint_ct_is_lt(const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W >
Definition mp_core.h:475
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:69
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x)
Definition bit_ops.h:35